Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornette - Digitribe - 18-12-18

1. Security & data privacy by design for new
applications development
Philippe Cornette
Partner

2. | 2
DigiTribe is an IT & business Consulting company
specialized in Digital enablement & execution
30+ Hands-on Experts & former C-level managers
3 Tribes: Cybersecurity, Digital enablement, Data Science
Customers: Large & Mid-sized organizations & Fintech
Mission
Bring innovation, relevant digital practices and start-
up mindset to large corporate organizations

3. | 32018 | DigiTribe | Confidential
63% of data breaches linked to a third-party component
56% of companies have experienced a 3rd-party breach in 2017
Data security laws and regulators increasingly require Banks & Insurance companies to perform sufficient
oversight of their third-party vendor’s data security protocols
By 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level
initiative(Source: Gartner)
IOT, Open Banking APIs under PSD2, outsourcing, … and the FINTECHs create new risks & opportunities
EBA & NBB
“While staying behind and ignoring fintech is a real risk for banks, they should still tread carefully when
implementing fintech or, of course, any change. Banks should fully take into account the EBA’s 2018 “report on
the prudential risks and opportunities arising for institutions from fintech” when considering, implementing or
using fintech technologies, in the sense that they should take the necessary precautions to avoid, mitigate or
reduce certain risks.”
Why Financial institutions are increasing the number of
Information Security Due Diligences / TPSA ?

4. | 42018 | DigiTribe | Confidential

5. | 52018 | DigiTribe | Confidential
Reduce the risk of information security incidents
Ensure that their offerings are secure and dependable
Gain active assurance that suppliers are protecting their data
Comply with legal and policy requirements
Enable informed decision making when selecting new suppliers
What do your customers expect ?

6. | 62018 | DigiTribe | Confidential
Entry ticket for new contracts (Third-party assessment,
due diligence requirements)
Compliance (e.g. GDPR, NIS, PCI DSS,…)
Key differentiator / marketing advantages
Reduce costs of fixing bugs
Why security by design is important for the
Fintechs

7. | 72018 | DigiTribe | Confidential
Defense in Depth

8. | 82018 | DigiTribe | Confidential
System layers where security may be compromised

9. | 92018 | DigiTribe | Confidential
Software Security requirements

10. Security by Design principles
• Secure the weakest link
• Minimize attack surface area
• Establish secure defaults
• Principle of Least privilege
• Principle of Defense in depth
• Fail securely
• Don’t trust services
• Separation of duties
• Avoid security by obscurity
• Keep security simple
• Fix security issues correctly
• Promote privacy | 10

11. | 11
Secure SDLC

12. | 122018 | DigiTribe | Confidential
Requirements
• Do you gather security objectives?
• How are they mapped to the rest of the design process?
Design
• Does your team conduct security architecture and design reviews?
• Do you use checklists to drive the process? Do you revise them over time?
• Does your team create threat models to understand and prioritize risk?
Coding
• Does your team use a formalized set of security coding best practices?
• What type of code scanning tools do you use?
• Do you perform code reviews against security best practices?
Testing
• Does your team conduct 3rd party or internal penetration tests?
• Are your testers QA trained on the latest attack trends and test techniques?
• Do you use security testing tools?
Questions to ask yourself

13. Secure coding

14. Secure Coding
Secure software does not happen by itself. It requires consistently applied
methodologies across the organization
Securing coding is the practice of developing computer software in a way that
guards against the accidental introduction of security vulnerabilities. Defects, bugs
and logic flaws are consistently the primary cause of commonly exploited software
vulnerabilities.
This includes acceptance tests for third-parties code (e.g. : libraries downloaded
from internet)

15. | 152018 | DigiTribe | Confidential
The importance of knowing how to code with style… guide

16. | 162018 | DigiTribe | Confidential
Coding Standards Benefits
• Code Clarity/Easier to Understand
• Easier to Maintain
• Reduces Bugs
• Simplifies Code Reviews
• Shorter learning curve for new team members
• Consistency across large and distributed teams
• Comply with internal or regulatory quality initiatives
Business Benefits
• Improve software quality
• Accelerate time to market
• Enhance customer satisfaction
• Reduce long term cost
• Improve productivity
Coding Style guide

18. | 182018 | DigiTribe | Confidential
Component
• The average application consists of 106 open source components.
Vulnerability
• A typical application contains 23 known vulnerabilities.
License
• Most applications indicate at least 8 GPL licensed components.
Architecture
• Many components in use are old, unsupported, and unpopular.
The need for open source security management became front-page news in 2017
owing to a major data breach at Equifax (Consumer credit rating agency).
The breach (due to a Apache Struts security hole) has compromised the information
of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than
19,000 Canadian customers.
Open Source Security

19. Open source, Libraries and Frameworks: Best Practices
• Use libraries and frameworks from trusted sources actively maintained and
widely used.
• Create and maintain an inventory catalogue of all the third party libraries.
• Proactively keep libraries and components up to date; use tools, like OWASP
Dependency Check, Retire.JS, to identify project dependencies and check if
there are known, publicly disclosed vulnerabilities for all third party code.
• Reduce the attack surface by encapsulating the library and expose only the
required behaviour into your software.
• Manage your technical debt
• Create a concise Open Source Security Policy

20. | 202018 | DigiTribe | Confidential

21. | 212018 | DigiTribe | Confidential
Risk, Cybersecurity & GDPR assessment & gap analysis
(ISO27001, NIST, SWIFT CSP, GDPR,…)
IT Strategy, architecture and governance
Cybersecurity strategy, roadmap & implementation
CISO & DPO as a service
Support to answer TPSA
Third-party assessment of your suppliers
Partnership on solutions with our customers
Second opinion as a service
What can Digitribe do for you ?

22. To contact us
www.digitribe.be philippe.cornette@digitribe.be +32 478403012
| 222018 | DigiTribe | Confidential